Pentagon Didn’t Check Risks Before Authorizing Cloud Services, IG Finds – By Edward Graham (Defense One) / Feb 22, 2023
The military branches “may be unaware of known vulnerabilities and cybersecurity risks associated with operating their systems or storing their data,” the Pentagon inspector general found.
Defense Department officials who authorized the use of commercial cloud services across components of the agency did not review all required documentation needed to determine potential security concerns, leaving DOD’s armed forces unaware of vulnerabilities and cybersecurity risks across their systems, according to an audit publicly released by the agency’s Office of Inspector General on Feb. 16.
The partially redacted report was conducted “to determine whether DOD components complied with federal and DOD security requirements when using commercial cloud services.” The IG “nonstatistically” selected five cloud systems—which used three different commercial cloud service offerings, or CSOs—for review from the Air Force, Army, Marine Corps and Navy, all of which, the audit said, were “Federal Risk and Authorization Management Program (FedRAMP) and DOD authorized and at the appropriate DOD impact level for the five systems reviewed.”
Since 2011, the Pentagon “has acquired commercial cloud services to meet mission needs,” with the agency’s component authorizing officials—or AOs—”responsible for granting the system‑level authorization to operate (ATO) when using authorized commercial cloud service offerings.” And the agency has placed a growing emphasis on acquiring and leveraging commercial cloud services in recent years, with the IG’s audit noting that the agency “spent approximately $893 million on commercial cloud services in FY 2020, $940 million in FY 2021 and requested over $1.12 billion for FY 2022.”
